Posted by timothy on Wednesday June 20, 2012 @11:28AM from the surely-they-miss-1-or-2 dept.

An anonymous reader writes "Five years after it was first introduced, Google's Safe Browsing program continues to provide a service to the 600 million Chrome, Firefox, and Safari users, as well as those searching for content through the company's eponymous search engine. According to Google Security Team member Niels Provos, the program detects about 9,500 new malicious websites and pops up several million warnings every day to Internet users. Once a site has been cleaned up, the warning is lifted. They provide malware warnings for about 300 thousand downloads per day through their download protection service for Chrome."

I'd guess that the malware detection is actually performed by servers at Google. That would make more sense (to me, anyway) than trying to embed the code in the browsers where malware authors can examine it, and where updates require a browser release.

> I'd guess that the malware detection is actually performed by servers at Google. That would make more sense (to me, anyway) than trying to embed the code in the browsers where malware authors can examine it, and where updates require a browser release.

Er, I guess I should have clicked your link before shooting my mouth off, rather than after :-)

> I'd guess that the malware detection is actually performed by servers at Google. That would make more sense (to me, anyway) than trying to embed the code in the browsers where malware authors can examine it, and where updates require a browser release.

> Er, I guess I should have clicked your link before shooting my mouth off, rather than after :-)

Er, I guess I should have read the code at the link you provided before correcting myself... since it appears that it does indeed connect to "safe browser servers" at Google.

I think I'll just shut up now, even if further perusal shows this comment to be wrong as well.

LOL? Well for starters that's the client side stuff. And this gets derped up to +5 informative? Holy crap haha.... if your comment was tongue in cheek, I salute you. Otherwise, let me just slowly back up and then run like fuck.

Uhhh... all that is is the client connect code, friend. Have Google released the code they run on their own servers? Last I checked that was a big NO, so who the hell knows what is going on there. Frankly, with as much data as Google gathers already and the changes in the privacy policy, I'd be leery of sending that company, or any other for that matter, every single website I visit so they can "check it" for me. That is what I had an AV that scans before load and a sandboxed browser for anyway.

Because it would be both inefficient and privacy-invasive to send every URL that is loaded to a server to do this check, the SafeBrowsing protocol takes the approach of downloading this data to the client. Every few minutes, the client will perform an update request to get new blacklist data from the server. This process is described in more detail under Update Process.
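As an added illustration of the client-side approach the quoted text describes (example code, not from the article, the thread, or Google's own client), this models the Safe Browsing v2 lookup: the client expands a URL into host-suffix/path-prefix expressions, tests 4-byte SHA-256 prefixes against a locally downloaded list, and only on a prefix hit sends that prefix (never the URL) to ask for full hashes. Canonicalization is deliberately simplified, and the prefix list and server table are constructed sample data.

```python
import hashlib
from urllib.parse import urlsplit

def lookup_expressions(url: str) -> list:
    """Host-suffix x path-prefix expressions for one URL (simplified canonicalization:
    lowercase host only; no IP-address or percent-encoding handling)."""
    u = urlsplit(url)
    host = (u.hostname or "").strip(".")
    path = u.path or "/"
    labels = host.split(".")
    # exact host, then up to 4 suffixes starting from the last 5 labels (never the bare TLD)
    hosts = [host] + [".".join(labels[i:])
                      for i in range(max(1, len(labels) - 5), len(labels) - 1)]
    paths = [path + "?" + u.query] if u.query else []   # exact path with query
    paths.append(path)                                  # exact path without query
    segs = [s for s in path.split("/") if s]
    dirs = segs if path.endswith("/") else segs[:-1]
    prefix = "/"
    paths.append(prefix)
    for seg in dirs[:3]:            # root plus at most 3 more directory prefixes = 4
        prefix += seg + "/"
        paths.append(prefix)
    hosts, paths = list(dict.fromkeys(hosts)), list(dict.fromkeys(paths))
    return list(dict.fromkeys(h + p for h in hosts for p in paths))

def full_hash(expr: str) -> bytes:
    return hashlib.sha256(expr.encode()).digest()

# Constructed sample data: one listed expression, plus a decoy prefix with no full hash
# behind it (a prefix hit alone must never produce a verdict).
LISTED_EXPR = "evil.example.test/bad/"
LOCAL_PREFIXES = {full_hash(LISTED_EXPR)[:4], full_hash("decoy.example.test/")[:4]}
FULL_HASH_SERVER = {full_hash(LISTED_EXPR)[:4]: {full_hash(LISTED_EXPR)}}  # server stand-in

def check_url(url: str, prefixes=LOCAL_PREFIXES, server=FULL_HASH_SERVER):
    """Return (verdict, matched expression, number of prefix queries sent to the server)."""
    queries = 0
    for expr in lookup_expressions(url):
        h = full_hash(expr)
        if h[:4] not in prefixes:
            continue                    # the common case: decided locally, nothing sent
        queries += 1                    # only the 4-byte prefix leaves the client
        if h in server.get(h[:4], set()):
            return "unsafe", expr, queries
    return "safe", None, queries
```

The decoy shows why the full-hash step exists: a 4-byte prefix collision is possible, so the local list alone can only say "maybe".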

Accuracy can be hit or miss. A lot of people in the translation community use tools like chiitrans, chiitrans2, Translation Aggregator (TA) and agth. Google regularly flags sites with these as malware and specifically mentions these as malware, when they're no such thing. They also regularly flag mentions of RPG maker 2k(JP) [famitsu.com] as malware. To me it seems more like the engine is looking for anything that injects or hooks, which chiitrans, TA and agth do. Or non-standard character sets which the old RPG maker

The plural of anecdote is not data. Since anecdote is all I have to offer, here goes: I occasionally run into its malware warnings, most, in fact all in recent memory, for some site I know for a fact has no ill intentions, though malicious adverts might always slip through, of course. What irks me most about those warnings isn't even the indiscriminate false positives, but much more the lack of detail as to just what was found to be suspicious. I for one would be much safer knowing exactly what the problem w

After digging around a little I did not find much useful knowledge about the accuracy and how it works.

I just put one of my domains online yesterday. It's OK now, but the first couple of times I tried to access it I got one of those "This site could be dangerous to your computer" banners. I wonder if Google needs to crawl the site before it blesses it as safe.

Would you really want to work for someone so stupid they don't realize two people can have the same name? You could also tell them ahead of time it's not you in the mugshot. What would you have to lose? It might even help them remember you.

"Extortion"? Really? Unless mugshots.com is actually claiming you are that person, it has nothing whatsoever to do with you. People googling your name who are too stupid to realize multiple people can have the same name... well, I probably wouldn't want anything to do with them anyways.

And it can't even be extortion unless they are threatening to release the name unless you pay them money. They aren't, are they? No? Then welcome to the Internet, where 10,000 people have the exact same name as you.

Detects malicious websites, but allows mugshots.com to end up at the top of search results. My own site (with a myfullname.com), my twitter page, my linkedin profile, etc., etc., etc. are all now listed after a mugshots.com page for someone else with the exact same name as me. Mugshots.com is nothing but an extortion attempt. And I get to suffer because some thug has the same name I do.

Anyone named Anonymous Coward is going to be taunted from grade school onward. Either that or he learns to fight.

Google stopped dealing with abuse on their own systems over a year ago. They don't correct any abuse complaints at all anymore. For example, if you take down a phishing site, there is always going to be a drop email somewhere in the php code of the phishing page. The stolen credentials get sent to this email address. If you report this illegal email address to google, they ignore it. These drop email addresses stay up and allow phishers to profit from their phishing campaigns for very very long periods

Somehow, I think if someone sees a form purporting to be from either Yahoo or Microsoft, but says right on it "Powered by Google Docs," and they still go ahead and enter their information, then they're stupid enough that they'll give away their information anyway at some point, so it doesn't make much difference if this stays up or not.

This is precisely what I'm talking about. One part of Google may care about phishing and malware (the Stop Browsing team). But Gmail doesn't care about drop emails. Google Docs doesn't care about phishing pages they host. Google Apps couldn't care less about malware payloads that you can download from their sites.

Abuse reports to Google fall on deaf ears. Google couldn't care less about crime on their own systems, unless it's copyright violations on Youtube when a bird song infringes a record label's intellectual property. Google is one of the worst companies on the internet with regards to responding to abuse on its systems. Even nasty dens of garbage like OVH and iWeb respond faster.

This [blogspot.com] image from Google's blog post [blogspot.co.uk] shows that the majority of the phishing sites are hosted in the US. Interestingly, most of Africa is relatively "clean", except for Algeria and South Africa.

The malware is not developed here. It is just that America has lots and lots of old servers running unpatched wordpress, apache, and linux software full of vulnerabilities. Many slashdotters are under the impression most malware is still installed by a user clicking something and the problem is always between the monitor and keyboard, and also that Linux is 100% safe and only IIS gets infected etc.

If you used Windows without AV software guess what? You are owned if you visited slashdot in late february or early march.

That's almost as vague as Google's warnings. Did the malware in this case target IE? Firefox? Chrome? Flash player? Java? Did it rely on a zero-day exploit? Or something that you just hadn't got around to patching?

I haven't run A/V for somewhere around a decade. I've never been infected. I visit /. on a regular basis, including the time in question. Obviously your blanket warning isn't accurate.

Why does everyone think the only way to know if you're infected is to run some resource-sucking A/V software?

How do you think A/V companies know to add something to their definitions? Does it have to show an infection in an antivirus scan? Maybe the fact that I don't get falsely complacent by running A/V software, means that when the A/V companies miss something like Flame for two years then I'd know about it on my machine before the AV warning, because I wouldn't be thinking "My A/V software shows nothing,

> Why does everyone think the only way to know if you're infected is to run some resource-sucking A/V software?

Because with well-written malware it is the only way to know, unless you routinely snapshot your system and do off-line verifications that your system files have not been modified.

> How do you think A/V companies know to add something to their definitions?

There are many ways malware is discovered initially. It depends on the type of malware and the infection vector.

> Maybe the fact that I don't get falsely complacent by running A/V software, means that when the A/V companies miss something like Flame for two years then I'd know about it on my machine before the AV warning, because I wouldn't be thinking "My A/V software shows nothing, so I'm not infected."

No one (well, not me anyway) is claiming that A/V software never gives false negatives. But not having A/V software gives a lot more false negatives.

True, but the implication in your original post was that it was reasonable for people to run without AV -- but the approach you use, while better than AV, is hardly reasonable for anyone but hardcore Windows experts (to know what should or should not change) who are also willing to do snapshots and offline scans.

I think I quite clearly said _I_ don't run antivirus. There was no implication that it was a good idea for others; at least, I didn't mean it. If you took it that way, then maybe I need to be more careful how I word that statement.

It was a faulty ad using a flash exploit. If you didn't run flashblock your system got owned. If you hate AV software you can download a free scanner from Kaspersky that doesn't affect your system, or use Malwarebytes from filehippo. You need to run AV software in this day and age. Modern AV software like avast doesn't slow your system down.

Ok, so it was a flash exploit. That still doesn't say whether it was zero day or not. If it wasn't, then you were unpatched, and I wasn't, and I'd be safe. If it was zero-day, I was doing a lot of experimenting with Chrome at that point, which has sandboxed flash since at least 2010, meaning I'd still be safe. All without flashblock.

Well, do not take this the wrong way or anything, but if you do not run any AV software, how do I know that you're credible saying it doesn't slow your computer that much if you do not use it?

True, Norton 360 and McCrappy circa 2006 were a total POS, but that doesn't mean they all are. Avast added only 3 seconds of bootup time to my computer and that is it, and well worth it. Sandboxing slows your computer down. Anything besides DOS or pure assembly slows your computer down. I stand by my words when I say a go

And we still don't know if it was a zero-day exploit or not. For that matter, we don't know if it would have even infected you. Did you know that Avast's web shield doesn't know if you're vulnerable to the exploit or not? It simply warns you when it sees a malicious file, even if you don't have the vulnerable plugin. Just because it blocked something doesn't mean you would have been infected without A/V.

We've been generating that list for years. It's based on PhishTank data, updated every 3 hours, and uses Open Directory to decide if a site is "major". 46 domains are on the list today. 9 have been on the list since 2011 or earlier. One has been on the list since 2010 - Google.
Google is the last free hosting service unable to clean up their phishing problem. MSN, Yahoo, and various free hosting services have been successful at aggressively cleaning up phishing problems, and haven't been on this list, other than briefly, for years.

If anybody from Google is reading this, go over to your abuse department and apply a clue stick. It should embarrass someone that Google is the most clueless free hosting provider in the world about phishing.

Please mod this UP! Google is unable to deal with abuse on their own systems. They ignore reports of phishing drop emails hosted at Gmail. In fact they ignore most all reports of abuse submitted to them, period.

... what percentage of these sites are false positives? They don't really seem to mention that, but as with any antivirus pile, I'm sure a large number are false. They have a feedback form to request a fix if it comes up, because it obviously does. What's the turnaround like? How many days do you have to live with not being able to talk to customers when it does?